Comments
Perhaps the configserver firewall, which allows ipset: https://www.configserver.com/cp/csf.html
Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?
One liner to handle it:
ip route add blackhole 0.0.0.0/0
You probably can’t unless you have access to the databases used by Netflix, etc.
You can create those databases by tracerouting visitor's networks.
That is nigh on impossible, really. There are lists of IP ranges that are DC that host VPN providers but a reliable, well maintained, list with few false positives will likely cost money (and not a small amount since the only indication I can see on MaxMind's page is "contact sales") to subscribe to or effort to create and maintain yourself.
That will be far from 100% effective. Even then there are a lot of things that will fall through the cracks. A lot of browser extension hacks and other malware these days are, as part of their payload, turning residential PCs into high latency network access relays, transfer through which is sold on. Reliably detecting and blocking people using those is not practical. Big services like Netflix won't care, as such relays are usually unsuitable for high quality video, but they are useful to people who want to disguise their location in order to access something that works with lower bandwidth and higher latency (like whatever you are hosting, most likely). You'll never keep them all out, even MaxMind's dataset probably won't.
Unless for some reason you expect massive legal trouble or other expense if someone from elsewhere has access to the information, I would stick with the more freely available GeoIP lists, pump those into your firewall, call that "due diligence enough", and if someone gets in via a VPN then that isn't your responsibility.
Make iPhone app.
Ask user to enable location.
If GPS says they are in North America, allow access.
Ask user to enter postal address.
Search their address to ensure it's not a virtual mailbox such as UPS store.
Mail a PIN number to their address, with return service requested.
If user enters PIN number correctly, allow access.
Both approaches have been adopted by major banks, and they work pretty well.
If you're using CloudFlare they pass the geolocation of the visitor in a header: https://support.cloudflare.com/hc/en-us/articles/200168236-What-does-Cloudflare-IP-Geolocation-do-
Supported on the Free Plan.
These are good comments, except I'd add that paid access may not be as expensive as feared. For example, I've used https://iphub.info which is pretty OK.
As written in the quote, a bit depends on how accurate you want to be. For one site I look after, I do approximately this:
iptables
list from https://www.ipdeny.com
Beyond that it gets a bit reactive. I periodically do an automated scan of the logs and sometimes block entire ASNs (DO, Vultr, Linode, AWS, GC, ...). If you're using a monitoring service that hosts with any of these, you might need to be a bit careful, but in my case I don't care.
Even after doing this, note that there are places that will give you a residential IP, most commonly using US cable internet (and specifically Comcast/Spectrum). Just check WHT to see the offers. The other day there was a 1-minute burst where I was suddenly getting peppered by "residential" Comcast/Spectrum/Charter IPs with the same request pattern. These tend to be the most difficult ones to filter out. I use stick tables and stuff with the UserAgent, but don't expect I'll catch everything.
As also said earlier, the steps you take do depend on why you're trying to do it - legal obligation, prevent hacking/scraping, your own annoyance, etc. The above is what I've done and works OK for my specific needs/user base/locations.
Always many ways to skin a cat ...
Cloudflare allows you to block by region, so it is even quicker and easier to accomplish this, as well as the many other security benefits it offers.
Never been on the backend of whmcs, but if it is php based, CIDRAM can block VPNs/TORs as well as a multitude of other criteria.
If you are using Cloudflare DNS, then simply add Country: America to the firewall settings.
Can't tell you because I'm not from North America.
Ironic when the most nefarious traffic that I see comes from USA.
Efficient way is by using an ipdeny.com list for USA (as was previously mentioned). Load this list in IPSET, then allow this IPSET in IPTABLES. Drop everything else.
People who want to see your page will find a way to see it. You can block other world and slow them.
I haven't tried Cloudflare, but I think it's the easiest. Config Server, which is recommended by raindog, is quite easy too. Ipset + MaxMind isn't hard either. There are many options. None is 100% effective.
You can export the IP list for USA & Canada from https://www.ip2location.com/free/visitor-blocker and use ipset and iptables to filter.
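The ipset-plus-iptables allowlist that the two comments above describe (load a country zone list into an ipset, accept that set, drop the rest), written out as an added example; it is not code from this thread or from any poster. The helper names, the GEO-ALLOW chain and the sample CIDRs are assumptions; the zone-file format (one CIDR per line) is ipdeny's.

```shell
# Build an ipset allowlist from ipdeny-style zone files and print the iptables
# rules that let only those ranges in. Hypothetical helpers, not from the thread;
# IPv4 only (ip6tables needs a matching "family inet6" set or v6 clients bypass it).

# Constructed sample in the ipdeny zone-file format (one CIDR per line); a real
# run would use https://www.ipdeny.com/ipblocks/data/countries/{us,ca}.zone.
SAMPLE_ZONES="# us.zone (constructed sample)
3.0.0.0/15
8.8.8.0/24
# ca.zone (constructed sample)
24.48.0.0/13
"

# Read CIDR lines on stdin, emit an `ipset restore` script for SET_NAME.
# Comments/blank lines are skipped; anything not a.b.c.d/n is reported on
# stderr and dropped rather than fed to ipset. Load with `ipset -exist restore`.
zone_to_ipset_restore() {
  set_name="$1"
  printf 'create %s hash:net family inet maxelem 262144\n' "$set_name"
  printf 'flush %s\n' "$set_name"
  grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r cidr; do
    if ! printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
      printf 'skipping malformed entry: %s\n' "$cidr" >&2
      continue
    fi
    printf 'add %s %s\n' "$set_name" "$cidr"
  done
}

# Print iptables rules for a GEO-ALLOW chain: loopback, established traffic and
# ADMIN_CIDR (your own management address, so a bad list cannot lock you out)
# are accepted first, then the set, then everything else is dropped.
allowlist_rules() {
  set_name="$1"; admin_cidr="$2"
  cat <<EOF
iptables -N GEO-ALLOW 2>/dev/null || iptables -F GEO-ALLOW
iptables -A GEO-ALLOW -i lo -j ACCEPT
iptables -A GEO-ALLOW -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A GEO-ALLOW -s $admin_cidr -j ACCEPT
iptables -A GEO-ALLOW -m set --match-set $set_name src -j ACCEPT
iptables -A GEO-ALLOW -j DROP
iptables -C INPUT -j GEO-ALLOW 2>/dev/null || iptables -I INPUT 1 -j GEO-ALLOW
EOF
}

# Number of `add` lines produced from the embedded sample.
sample_entry_count() {
  printf '%s' "$SAMPLE_ZONES" | zone_to_ipset_restore na_allow | grep -c '^add '
}
```

On a real host (as root) `cat us.zone ca.zone | zone_to_ipset_restore na_allow | ipset -exist restore` loads the set and `allowlist_rules na_allow <your-ip>/32 | sh` installs the chain; re-run the first command from cron, since ipdeny refreshes the zone files.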
Use a GeoDNS service and set the IPs accordingly.